Join Jason Pufahl, Steve Maresca, and Matt Fusaro on this episode of CyberSound, as they discuss the meaning and purpose of network segmentation. Listen to learn how companies can get the most out of network segmentation, today.
What Does Network Segmentation Really Mean?
[00:00:01.210] – Narrator
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity with your hosts, Jason Pufahl and Steven Maresca.
[00:00:12.170] – Jason Pufahl
Welcome to CyberSound. I’m your host, Jason Pufahl, joined by Steve Maresca and Matt Fusaro. Hey, guys.
[00:00:17.900] – Matt Fusaro
[00:00:18.610] – Steve Maresca
[00:00:19.900] – Jason Pufahl
Today, we’re going to talk a little bit about network segmentation. I feel like it’s something that comes up all the time. Maybe your managed service provider has told you that you need to do network segmentation. Maybe your insurance carrier has told you; maybe your internal engineers have told you. What does it actually mean? Does it really do anything for you? What’s the value of moving down the path of doing all that work? Matt, I think you’re the logical person to kick this over to start.
[00:00:45.730] – Matt Fusaro
Yeah. I’ve spent quite a few years doing this, implementing VLANs for networks and implementing segmentation, sometimes even on a global scale. And the thing I find almost every time is that it was either done wrong when I come in there or the plan that I’m asked to implement just isn’t sufficient. What does that mean? Especially these days, we want to see different servers, different applications, different users in different places of the network that have some type of policy that governs how they can interact with other users or applications.
[00:01:26.030] – Matt Fusaro
When you have network segmentation, most of the time all we see is some networking that got changed around. That never really affects anything because, at the end of the day, we can still get everywhere we want to. Traffic can go from one user VLAN to another user VLAN. If you’re not familiar with VLAN, VLANs are basically just a logical network that gets created inside your equipment. It’s not something that you would necessarily see if you walked into a switch closet.
[00:01:52.610] – Steve Maresca
Common sins of the past usually include VLANs and segments that are building-specific or floor-specific or entirely divorced from the systems that they might contain locally on that network or things of that variety. Network segmentation for network segmentation’s sake, not necessarily because it serves a purpose.
[00:02:12.540] – Jason Pufahl
Yeah, not for security.
[00:02:13.240] – Steve Maresca
[00:02:14.250] – Matt Fusaro
In the past, a lot of times you would see this happen to make your broadcast domain smaller when that was a real issue, not so much an issue anymore. But back in the day, hardware couldn’t handle all of that happening all the time. The other reasons you would see is for troubleshooting. We want to know what network certain traffic is coming from, or we want to make some general policies on our firewall that says the finance department can only go to these particular websites.
[00:02:45.890] – Matt Fusaro
But you would only see that at the edge; that will be on your edge firewall. What we need to have today because of the way threats are… Lateral movement is a huge issue. Lateral movement is an attacker moving from one system to another. They need to be able to get to services to do that. And a lot of times they shouldn’t even be able to see them. A good example is going between VLANs inside your network. So, a VLAN that supports your engineering network shouldn’t necessarily talk to your administrative IT department.
[00:03:19.730] – Steve Maresca
And lateral movement that we see in security incidents we manage usually starts from your edge, your workstations, and works inward towards the more sensitive systems. And a lot of that is data-centric; it’s privilege-centric. And thinking about that flow is really central to proper network segmentation.
[00:03:40.430] – Matt Fusaro
Yes, exactly. Understanding the flow is important. That’s going to basically inform your policy and what types of applications and services your user should be able to get to. The thing we see that’s done wrong all the time is there’s no policy ever applied. This is done most of the time because it’s easy. People want to have less complex networks, and this is totally understandable. They don’t necessarily want to be putting the ACLs on their routers. They don’t want to make a whole bunch of firewall rules. But I’ll tell you, their minds change very quickly after an incident happens.
[00:04:22.790] – Matt Fusaro
We’ve actually had to basically rebuild networks on the fly because of how permissive they were just to get people back up during a ransomware incident. What we like to see now is policy between these things. And typically you’ll see that done on a firewall. Internally, you’ll see that on a firewall. We never really were able to do this because we just didn’t have firewalls that were even capable of handling this. Steve, I’m sure you remember the days of your PIXs and ASAs that you’re lucky you can get a meg…[inaudible laughing 00:04:55].
[00:04:57.410] – Matt Fusaro
But now we’ve got firewalls that are doing line rate inspection at this point. And we’re not necessarily expecting people to be running AV engines on their firewalls for internal traffic, but at least defining the services they should get to. We should at least be there at this point.
[00:05:12.480] – Steve Maresca
And we’re operating in a realm today where your firewall rules can include identities and roles. We are in a far more granular and informed way of applying policy. Instead of simply assuming, “Hey, that IP is assigned to that floor and those are users,” we can go far more effectively and apply policy today.
[00:05:33.540] – Matt Fusaro
Right. And you’ve probably not seen this a lot because there was a lot of pushback from your networking engineers.
[00:05:40.600] – Matt Fusaro
Networking engineers. Their entire purpose is to give you a clear line that is as fast as possible. That is their only job. Now, put a firewall in the way, you can’t get the things on purpose through policy. You might introduce some latency, but sometimes it’s expected. And again, the equipment we have these days, the chips that we’ve got, they’re just not getting in the way like they used to. So it’s an old excuse at this point that we don’t want to put something in the way. That’s quite frankly something we need to change.
[00:06:15.890] – Jason Pufahl
We started this by saying, “Why do we need to do it?” So I want to come back to that a little bit because I actually think it’s important to make sure we enumerate that as clearly as we can. Poorly implemented network segmentation still can give you the ability during an incident to at least make, potentially, some policy-based decisions to help keep certain parts of the network up, maybe, or certain parts of the network isolated. And I agree with you fully.
[00:06:46.550] – Jason Pufahl
Implementing it for networking’s sake but not necessarily security’s sake probably doesn’t buy you a ton. In an emergency, you’ll get a little bit of value out of it. I think we can all agree on that. We regularly see organizations that have to run through outdated equipment, and potentially putting them into isolated networks provides some ability, like a compensating control. Some ability to isolate those from other modern systems or better-protected systems, that’s definitely a quality you can get out of this, right?
[00:07:18.550] – Matt Fusaro
Yeah, we’re asked about that all the time. We do a vulnerability assessment, and it’s an application that they either need to go to a vendor to upgrade or just don’t have support anymore. That’s the answer, yes. Segment it out, make it on its own – own network, own VLAN – and your mitigation is now some type of ACL or firewall. However, we can manage that traffic. Getting to that service is how you get around that.
[00:07:44.840] – Steve Maresca
Similarly, you have users that maybe want access to the Internet, maybe they are guests on your wireless network. Segmentation allows them to be off in their own little area, safe, and not even able to touch internal systems. Similar kind of concept. You can make a walled garden where really restrictive policies can be deployed without necessarily bleeding over into other parts of your network.
[00:08:08.130] – Steve Maresca
Common practice for orgs that have credit card processing requirements, because if you don’t segregate those systems, the actual standard requirements actually flow into other systems and make policies a bit more onerous than we’d like them to be for users, for example.
[00:08:27.910] – Matt Fusaro
You’ll see a lot of fringe benefits out of this, too. You’d be amazed at some of the insight that you can get, especially on your firewall. If you put a firewall between your VLANs, you’re now getting a whole bunch of insight into what types of traffic are actually going on inside your network at that point. A lot of people do not have that view when you’re just running it on your switches or your routing equipment. And if you wanted to get that insight, it’s actually a pretty big lift. I know Steve ran quite a bit of that network packet inspection stuff at a pretty large scale. It was not easy.
[00:08:59.160] – Steve Maresca
No, it’s not. But it’s achievable. And even getting samples over a very busy link is still meaningful for decision making, for traffic characterization and things of that sort. Visibility is key in security. And when you can carve up your network and your devices and your users into logical areas that are separate from one another, making sense of the data that you have is fundamentally cleaner.
[00:09:23.810] – Steve Maresca
And in a security incident, really critical. It helps you find a threat. In a more business operation standpoint, it can say, “Hey, that department over there uses a ton of network bandwidth. Maybe we need to have a conversation with them. Perhaps we can save some money.” Lots of different secondary outcomes from having good data that’s facilitated by segmentation.
[00:09:44.670] – Matt Fusaro
That’s a good point. You can get some business insight into it. Applications that aren’t necessarily used anymore that are still being paid for and hosted, you can get some insight on that. I think what business owners need to be aware of is when your IT department comes to you and says, “We need to do a network segmentation project,” make sure that there’s some type of security portion of that. Are we making policy or are we just dividing up the network? That stuff should really be part of the plan at that point.
[00:10:16.550] – Jason Pufahl
It’s interesting, that incident response piece, because we regularly roll into an incident and wish there was more segmentation in place. But I think, conversely, it helps with the continuity efforts as well because we oftentimes have to keep parts of the network up for business reasons. Maybe it’s an ERP or something like that.
[00:10:37.310] – Steve Maresca
Honestly, it’s a thought I was having just at the moment where Matt was talking. Network segmentation allows quick, low-impact decisions in an incident. Otherwise, you may take out your entire network.
[00:10:50.660] – Jason Pufahl
That’s such a good point, low-impact part.
[00:10:52.580] – Steve Maresca
And many organizations are hesitant to actually disconnect network traffic flow between segments, between users, and the Internet. If you have good segmentation, you can do that with a flip of a switch in a discrete way for a small number of systems and make meaningful containment capabilities available at your fingertips.
[00:11:13.630] – Jason Pufahl
And if you recall, when we did our incident response episode, one of the top couple of things to do, I think it was the number one, was to separate or shut down a variety of different network segments. Shut it down to the Internet. Shut it down internally. This does allow you to do that in, say, a low-impact way potentially.
[00:11:33.570] – Steve Maresca
And it’s not just us saying this at this point. It’s Department of Homeland Security, our peers in the security engineering space. This is a step that’s critical, and segmentation makes it really easy to lift.
[00:11:46.270] – Jason Pufahl
Matt, you mentioned doing it via firewall policy, and you also mentioned doing it via ACL. I feel like back in the day ACL was a dirty word. Nobody wanted to have a network full of ACLs. Any easier now? Any different now? Do you prefer to do it via firewall policy?
[00:12:03.660] – Matt Fusaro
This is a tough one because this is going to depend on how good your networking stack is. So if you’re a smaller organization, you probably don’t have access to the fancy management tools that are available. In that case, you want to do this on a firewall. That’s the right place to do it.
[00:12:22.120] – Jason Pufahl
Built for it.
[00:12:22.840] – Matt Fusaro
Yeah. If you’ve got more advanced networking equipment, there are management systems out there and quite honestly, the hardware is ready to do this stuff. It’ll do that on the fly for you. It’s much simpler to do. There’s a management interface for it. It’s not all CLI-based. It’s something you can audit. When you are trying to do this on a scale where you really only have a single router and it’s all CLI-based and maybe there’s two people in the organization that know how to use that, probably not the right place to do it.
[00:12:53.460] – Jason Pufahl
Do you think everybody even knows what CLI means now?
[00:12:58.010] – Matt Fusaro
[00:12:59.600] – Jason Pufahl
Command-line interface – actually typing instead of using some point-and-click management console.
[00:13:05.660] – Steve Maresca
The key that I want to emphasize with the management infrastructure that you’re getting to is consistency of application across equipment. Otherwise, it’s going to require individuals logging into systems and applying policy, hopefully consistently. And in our experience, that’s never the case.
[00:13:23.130] – Jason Pufahl
Yeah, it’s so hard.
[00:13:24.950] – Steve Maresca
Those tools allow revision tracking. They allow broad changes to be applied everywhere. And more importantly, they tend to be accompanied by secondary benefits like the ability to tie VLAN placement for a user and a workstation to their authentication and their role. Those related services mean dynamic application of policy in a way that’s frankly not possible without those tools in place.
[00:13:52.540] – Matt Fusaro
I think what this is all boiling down to is you need to be able to apply policy properly, and you can’t do that if you just let network traffic go wherever you want it to.
[00:14:05.070] – Jason Pufahl
It really does seem… Because, Steve, you hinted on this twice now from the user-based piece of it. It’s fine to have it be a purely network segmentation activity. But it’s great if you tie it with identity and make it a more intelligent product, ultimately.
[00:14:23.530] – Steve Maresca
Right. You don’t necessarily have to start there. That’s an advanced next step. It’s just a way of introducing some flexibility in an organization that might be tied to physical location or subnet or something like that. It’s a way to bypass, let’s call them inefficiencies in network size or aspects of that.
[00:14:46.060] – Jason Pufahl
And that’s easier now because a lot of these products integrate directly into Active Directory or some of these other identity-based tools.
[00:14:53.230] – Matt Fusaro
And it allows your users to be more mobile between departments. And your role is now going to define how you interact with services instead of necessarily physically where you are.
[00:15:04.470] – Steve Maresca
Bottom line for me is not overthinking this, because I see orgs that are bristling with VLANs. It’s no longer appropriate. VLAN is associated with specific types of data, VLAN is associated with specific types of devices and specific types of users. That’s where you want to be.
[00:15:24.730] – Steve Maresca
And if you can be as simple as possible, for example, your public data, your sensitive data, your regulated data, those might be really excellent buckets to carve up some of your systems and your users. If you can do that, policies become simple. And honestly, when we’re dealing with policies and security enforcement, being manageable and being simple and easy to understand is absolutely critical.
[00:15:50.870] – Jason Pufahl
I want to wrap up with what I think is a simple question. I’ll be surprised if it’s not. Some of these conversations we have, we say, “Well, you may or may not want to move in the direction we just described.” Zero trust, certain technology we’ve outlined. Is there any reason you wouldn’t suggest a company to move forward with network segmentation?
[00:16:21.070] – Matt Fusaro
If your branch offices or even your main offices are just not that large. If we’re talking about a presence of 10 people, it may be complexity that just isn’t required. It depends on your data and your purpose of what you’re doing. I can’t think of anything.
[00:16:39.930] – Jason Pufahl
But aren’t you even in that case, like maybe getting a guest wireless network? [crosstalk 00:16:44] So you’re still segmenting something.
[00:16:46.440] – Steve Maresca
But I think a really good defining characteristic is what you’re leading into, Matt, whether there are users co-resident in that location with servers or other support systems. If they’re not, then it’s a much simpler discussion to be had. And honestly, from a wireless access perspective, most wireless devices actually have standalone networks for guests at this point. It’s inherently segmented.
[00:17:13.100] – Jason Pufahl
[00:17:13.700] – Steve Maresca
Right. So that would be a scenario to me, where segmentation at that smaller scale is simply not necessary. Maybe the segmentation occurs between that branch office and a central office or something like that. But then there’s a firewall link and it’s relatively straightforward to apply.
[00:17:30.070] – Jason Pufahl
So the answer generally feels like, yeah, you always want some amount of segmentation. You need to think about your population and even if your population is guests visiting an office versus full-time employees, who are always in an office. Right?
[00:17:43.480] – Steve Maresca
[00:17:44.210] – Matt Fusaro
You always have the capability there.
[00:17:46.170] – Jason Pufahl
Yeah, that’s reasonable.
[00:17:47.210] – Steve Maresca
It’s common sense. You don’t want your printers being able to access your databases. It doesn’t make any sense.
[00:17:52.440] – Jason Pufahl
We could have a whole discussion on printers. [crosstalk 00:17:54] I want to avoid that. Wrapping up, for the most part, there’s really only benefit for doing this. I think a lot of the complexity around management is gone nowadays. Certainly, the hardware supports it a lot better than it used to. There’s purpose-built devices and you can integrate it with identity. We strongly advocate that people move towards this. It’s a pretty fundamental network security architecture in a lot of ways.
[00:18:23.820] – Jason Pufahl
Surprisingly, we just don’t see a lot of companies that have implemented or networks a decade ago. Maybe they haven’t moved toward that. And as always, we’re interested in keeping the conversation going. If you want to hear more about this topic, maybe, or explore other topics, reach out to us on LinkedIn. Just search Vancord. We’re @VancordSecurity on Twitter. We’re happy to have a conversation going forward. We hope you got some value out of today’s discussion.
[00:18:50.150] – Narrator
Stay vigilant, stay resilient. This has been CyberSound.